Aries RSA: securing exported services with ExportPolicy

Aries RSA: securing exported services with ExportPolicy

Christian

Hi,


I am trying to export a service in my Karaf to be able to process SOAP messages sent from a remote client, but I am facing problems securing it. The documentation for Aries RSA about the TopologyManager notes that ExportPolicy implementations can be used to add authentication, but I am missing further details.


I tried to achieve it by adding an interceptor in my ExportPolicy, but that does not seem to help:


Dictionary<String, Object> props = new Hashtable<>();
props.put("service.exported.configs", "org.apache.cxf.ws");
props.put("org.apache.cxf.ws.address", "http://192.168.1.100:9000/sync");
props.put("org.apache.cxf.ws.in.interceptors", "com.acme.MyInterceptor");

// where com.acme.MyInterceptor extends org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor

I also tried to provide the interceptor class name as List<String> or String[], but that didn't work either; the interceptor never gets invoked when sending messages.

So what am I doing wrong, or is there another/better way to secure a service provided by Aries RSA?

Thanks,

Christian


Re: Aries RSA: securing exported services with ExportPolicy

Christian Schneider
Does it work if you set the interceptor directly on the service?

Christian

On Thu, 25 Oct 2018 at 08:57, Niehues, Christian <[hidden email]> wrote:
--
Christian Schneider

http://www.liquid-reality.de

Computer Scientist


Re: Aries RSA: securing exported services with ExportPolicy

Christian

It works if I define the service as a CXF endpoint in blueprint. But if I set it there, it is not published as an RSA endpoint, and so it seems it's not accessible from remote.


Christian



From: Christian Schneider <[hidden email]>
Sent: Thursday, 25 October 2018 17:24:40
To: [hidden email]
Subject: Re: Aries RSA: securing exported services with ExportPolicy


Re: Aries RSA: securing exported services with ExportPolicy

Christian Schneider
Any web service exported using blueprint is accessible from remote. You will only not see it as an RSA remote service.

What I meant is: can you export your service using RSA, but without an ExportPolicy, if you add the interceptor as a service property? I am not sure if this kind of interceptor works with the current CXF DOSGi versions.

In general, the recommended practice for securing services is using a CXF feature and referring to it as an intent. For example, the new CXF logging feature registers itself as an intent:
https://github.com/apache/cxf/blob/master/rt/features/logging/src/main/java/org/apache/cxf/ext/logging/osgi/Activator.java#L89-L90

The REST example readme shows how to add such an intent to your service:
https://github.com/apache/cxf-dosgi/blob/59e432afabb2a8f6a812b2a8f12cda68f4bfa775/samples/rest/README.md#add-logging-intent
(Basically, you simply add a service property "service.exported.intents" with your intent name as the value.)

This way you could create a feature that adds the security interceptors, export it with the intent name "mysecurity", and then add the service property above to all services that should be secured.

The ExportPolicy is only needed if you want to add this property transparently to your services without touching them.

Christian

On Fri, 26 Oct 2018 at 12:27, Niehues, Christian <[hidden email]> wrote:


Re: Aries RSA: securing exported services with ExportPolicy

Christian

I was not able to add an interceptor by setting a service property (I used "org.apache.cxf.ws.in.interceptors").


But I followed your advice and tried to use a CXF feature. I noticed that there is a ready-to-use JAASAuthenticationFeature, so I registered it as a service intent. If I understand it right, I can select the realm to use by setting the contextName of the feature, but is it also possible to choose a specific group or user?


Thanks

Christian



From: Christian Schneider <[hidden email]>
Sent: Friday, 26 October 2018 12:44:05
To: [hidden email]
Subject: Re: Aries RSA: securing exported services with ExportPolicy


Re: Aries RSA: securing exported services with ExportPolicy

Christian Schneider
Hi Christian,

the JAASAuthenticationFeature only does authentication.
When deployed in Karaf, the default realm should be fine.

For authorisation see e.g. the SimpleAuthorizingInterceptor.

Christian

On Mon, 29 Oct 2018 at 09:42, Niehues, Christian <[hidden email]> wrote:

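As an added example putting Christian Schneider's two answers together (this is not code from the thread or from the CXF, CXF DOSGi or Aries RSA projects): a CXF feature that combines JAAS authentication against the Karaf realm with a SimpleAuthorizingInterceptor, registered as the intent "mysecurity"; the service export that requires that intent; and the optional Aries RSA ExportPolicy that adds the intent property without touching the services. The package, the SyncService interface, the role names and the intent-property key "org.apache.cxf.dosgi.IntentName" are assumptions to be checked against the linked CXF logging Activator; the ExportPolicy method signature is taken from the Aries RSA SPI as recalled here.

```java
package com.acme.security; // hypothetical package

import java.util.Dictionary;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;
import org.apache.aries.rsa.spi.ExportPolicy;
import org.apache.cxf.Bus;
import org.apache.cxf.feature.AbstractFeature;
import org.apache.cxf.feature.Feature;
import org.apache.cxf.interceptor.InterceptorProvider;
import org.apache.cxf.interceptor.security.JAASLoginInterceptor;
import org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor;
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;

/**
 * Registers a CXF security feature as the intent "mysecurity" and exports a
 * SOAP service that requires it: every inbound call is authenticated against
 * the Karaf JAAS realm and then checked against per-method roles.
 */
public class SecurityIntentActivator implements BundleActivator {

    public static final String INTENT_NAME = "mysecurity";
    /** Property under which CXF DOSGi discovers intent services (assumed key). */
    static final String INTENT_PROPERTY = "org.apache.cxf.dosgi.IntentName";

    /** Hypothetical service contract exported over SOAP. */
    public interface SyncService {
        String sync(String payload);
        String status();
    }

    public static class SyncServiceImpl implements SyncService {
        public String sync(String payload) { return "synced:" + payload; }
        public String status() { return "ok"; }
    }

    /** Feature wrapping JAAS authentication plus role-based authorization. */
    public static class SecurityFeature extends AbstractFeature {
        @Override
        protected void initializeProvider(InterceptorProvider provider, Bus bus) {
            // Authentication: request credentials are verified against the
            // Karaf realm ("karaf" is Karaf's default realm name).
            JAASLoginInterceptor login = new JAASLoginInterceptor();
            login.setContextName("karaf");
            provider.getInInterceptors().add(login);

            // Authorization: the caller must hold one of the roles listed for
            // the invoked method. Methods without an entry are not role-checked,
            // so every operation that must be restricted has to be listed.
            SimpleAuthorizingInterceptor authz = new SimpleAuthorizingInterceptor();
            Map<String, String> methodRoles = new HashMap<>();
            methodRoles.put("sync", "admin manager");          // hypothetical roles
            methodRoles.put("status", "admin manager viewer");
            authz.setMethodRolesMap(methodRoles);
            provider.getInInterceptors().add(authz);
        }
    }

    /** Optional Aries RSA ExportPolicy: adds the intent to every export without touching the services. */
    public static class SecurityExportPolicy implements ExportPolicy {
        @Override
        public Map<String, ?> additionalParameters(ServiceReference<?> sref) {
            Map<String, Object> extra = new HashMap<>();
            extra.put("service.exported.intents", INTENT_NAME);
            return extra;
        }
    }

    /** Service properties that make Aries RSA export the service over CXF with the intent. */
    public static Dictionary<String, Object> exportProperties() {
        Dictionary<String, Object> props = new Hashtable<>();
        props.put("service.exported.interfaces", "*");
        props.put("service.exported.configs", "org.apache.cxf.ws");
        props.put("org.apache.cxf.ws.address", "http://192.168.1.100:9000/sync");
        // Binds the endpoint to the feature registered in start(); an unsatisfied
        // intent makes CXF DOSGi refuse the export rather than expose the service
        // without the interceptors.
        props.put("service.exported.intents", INTENT_NAME);
        return props;
    }

    @Override
    public void start(BundleContext context) {
        // 1. Publish the feature as a named intent.
        Dictionary<String, Object> intentProps = new Hashtable<>();
        intentProps.put(INTENT_PROPERTY, INTENT_NAME);
        context.registerService(Feature.class, new SecurityFeature(), intentProps);

        // 2. Export the service; the intent property makes RSA apply the feature.
        context.registerService(SyncService.class, new SyncServiceImpl(), exportProperties());
    }

    @Override
    public void stop(BundleContext context) {
    }
}
```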

Re: Aries RSA: securing exported services with ExportPolicy

Christian

Hi Christian,


meanwhile I was also able to access a simple CXF endpoint from remote that has been defined in blueprint, including authorization and authentication. My only remaining problem with that solution is that I don't know how to define something like a placeholder for the address value to get an IP-specific address. A placeholder definition value like {{hostIP}} doesn't seem to be replaced.


Is there maybe another way to achieve this?


Thanks

Christian


--
Christian Niehues
Tel.: +49 (0)221 820 07 27

----------------------------------------------------------------
ITS Digital Solutions GmbH
Dillenburger Str. 77
D-51105 Köln
Tel.: +49 (0)221 820 07 0
Fax: +49 (0)221 820 07 22
----------------------------------------------------------------
Registered office: Dortmund
Dortmund District Court, HRB 28563
Managing directors: Gunnar Haack, Ludger Schulte, Heinrich Toben, Raimund Schipp, Ralf Petersilka
----------------------------------------------------------------

This e-mail may contain confidential information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorised copying, disclosure or distribution of the material in this e-mail is strictly forbidden.


From: Christian Schneider <[hidden email]>
Sent: Monday, 29 October 2018 16:57:14
To: [hidden email]
Subject: Re: Aries RSA: securing exported services with ExportPolicy


Re: Aries RSA: securing exported services with ExportPolicy

Christian Schneider
In plain CXF you can specify the endpoint address, which can include an IP address, but there are no placeholders.
What are you trying to achieve with a specific IP?

Christian

On Fri, 2 Nov 2018 at 09:56, Niehues, Christian <[hidden email]> wrote:


Re: Aries RSA: securing exported services with ExportPolicy

Christian

I want to be able to access the CXF endpoint from remote, which is not possible if I use localhost or something like that. So I thought I have to set the address in relation to the IP of the machine it's installed on. That was the reason I started to use Aries RSA and the ExportPolicy.


Christian


From: Christian Schneider <[hidden email]>
Sent: Friday, 2 November 2018 10:29:38
To: [hidden email]
Subject: Re: Aries RSA: securing exported services with ExportPolicy
 
In plain CXF you can specify the endpoint address which can include an IP Adress but there are no placeholders.
What do you try to achieve with a specific IP?

Christian

Am Fr., 2. Nov. 2018 um 09:56 Uhr schrieb Niehues, Christian <[hidden email]>:

Hi Christian,


meanwhile I was also able to access a simple CXF endpoint from remote that has been defined in blueprint, including authorization and authentication. My only remaining problem with that solution is that I don't know how to define something like a placeholder for the address value to get a IP specific address. A placeholder definition value like {{hostIP}} doesn't seems to be replaced.


Is there maybe another way to achieve this? 


Thanks

Christian


--
Christian Niehues
Tel.: +49 (0)221 820 07 27

----------------------------------------------------------------
ITS Digital Solutions GmbH
Dillenburger Str. 77
D-51105 Köln
Tel.: +49 (0)221 820 07 0
Fax : <a href="tel:%2B49%20%280%29221%20820%2007%2022" value="&#43;492218200722" style="color:rgb(17,85,204)" id="m_-6766005563206093230LPNoLP" target="_blank">+49 (0)221 820 07 22
----------------------------------------------------------------
Sitz der Gesellschaft: Dortmund
Amtsgericht Dortmund, HRB 28563
Geschäftsführer: Gunnar Haack, Ludger Schulte, Heinrich Toben, Raimund Schipp, Ralf Petersilka 
----------------------------------------------------------------

Diese E-Mail enthält vertrauliche Informationen. Wenn Sie nicht der richtige Adressat sind oder diese E-Mail irrtümlich erhalten haben, informieren Sie bitte sofort den Absender und vernichten Sie diese E-Mail. Das unerlaubte Kopieren sowie die unbefugte Weitergabe dieser E-Mail ist nicht gestattet.

This e-mail may contain confidential information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorised copying, disclosure or distribution of the material in this e-mail is strictly forbidden.


Von: Christian Schneider <[hidden email]>
Gesendet: Montag, 29. Oktober 2018 16:57:14
An: [hidden email]
Betreff: Re: Aries RSA: securing exported services with ExportPolicy
 
Hi Christian,

the JAASAuthenticationFeature only does authentication. 
When deployed in karaf the default realm should be fine.

For authorisation see e.g the SimpleAuthorizingInterceptor. 

Christian

Am Mo., 29. Okt. 2018 um 09:42 Uhr schrieb Niehues, Christian <[hidden email]>:

I was not able to add an interceptor by setting a service property (I used "org.apache.cxf.ws.in.interceptors").


But I followed your advice and tried to use a CXF feature. I noticed that there is a ready-to-use JAASAuthenticationFeature so I registered it as a service intend. If I understand it right I can select the realm to use by setting the contextname of the feature but it is also possible to choose a specific group or user?


Thanks

Christian



Von: Christian Schneider <[hidden email]>
Gesendet: Freitag, 26. Oktober 2018 12:44:05
An: [hidden email]
Betreff: Re: Aries RSA: securing exported services with ExportPolicy
 
Any webservice exported using blueprint is accessible from remote. You will only not see it as a rsa remote service. 

What I meant is. Can you export your service using rsa but without an Export policy if you add the interceptor as a service property? I am not sure if this kind of interceptors work with the current cxf dosgi versions.

In general the recommended practice for securing services is using a CXF feature and refer to it as an intent. For example the new CXF logging feature registers itself as an intent.
https://github.com/apache/cxf/blob/master/rt/features/logging/src/main/java/org/apache/cxf/ext/logging/osgi/Activator.java#L89-L90

The rest example readme shows how to add such an intent to your service:
https://github.com/apache/cxf-dosgi/blob/59e432afabb2a8f6a812b2a8f12cda68f4bfa775/samples/rest/README.md#add-logging-intent
(Basically you simply add a service property "service.exported.intents" with your intent name as value).

This way you could create a feature that adds the security interceptors and export it with intent name "mysecurity" and then add the service property above to all services that should be secured.

The ExportPolicy is only needed if you want to add this property transparently to your services without touching them.

Christian

On Fri, 26 Oct 2018 at 12:27, Niehues, Christian <[hidden email]> wrote:

It works if I define the service as a CXF endpoint in Blueprint. But if I set it there, it is not published as an RSA endpoint, so it seems it's not accessible from remote.


Christian



From: Christian Schneider <[hidden email]>
Sent: Thursday, 25 October 2018 17:24:40
To: [hidden email]
Subject: Re: Aries RSA: securing exported services with ExportPolicy

Does it work if you set the interceptor directly on the service?

Christian

On Thu, 25 Oct 2018 at 08:57, Niehues, Christian <[hidden email]> wrote:

Hi,


I am trying to export a service in my Karaf to be able to process SOAP messages sent from a remote client, but I am facing problems securing it. The documentation for Aries RSA about the TopologyManager notes that ExportPolicy implementations can be used to add authentication, but I am missing further details.


I tried to achieve it by adding an interceptor in my ExportPolicy but that seems not to help:


props.put("service.exported.configs", "org.apache.cxf.ws");
props.put("org.apache.cxf.ws.address", "http://192.168.1.100:9000/sync");
props.put("org.apache.cxf.ws.in.interceptors", "com.acme.MyInterceptor");

com.acme.MyInterceptor extends org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor

I also tried to provide the interceptor class name as List<String> or String[] but that didn't work either; the interceptor never gets invoked when sending messages.

So what am I doing wrong, or is there any other/better way to secure a service provided by Aries RSA?

Thanks,

Christian



--
Christian Schneider
http://www.liquid-reality.de
Computer Scientist


Re: Aries RSA: securing exported services with ExportPolicy

Christian Schneider
This is not necessary. In both cases (CXF Blueprint namespace as well as RSA) you can use a path like "/myservice".
This uses the servlet transport. In Karaf it is provided by Pax Web.

Christian

On Fri, 2 Nov 2018 at 10:52, Niehues, Christian <[hidden email]> wrote:

I want to be able to access the CXF endpoint from remote, which is not possible if I use localhost or something like that. So I thought I had to set the address in relation to the IP of the machine it is installed on. That was the reason I started to use Aries RSA and the ExportPolicy.


Christian


From: Christian Schneider <[hidden email]>
Sent: Friday, 2 November 2018 10:29:38
To: [hidden email]
Subject: Re: Aries RSA: securing exported services with ExportPolicy

In plain CXF you can specify the endpoint address, which can include an IP address, but there are no placeholders.
What are you trying to achieve with a specific IP?

Christian

On Fri, 2 Nov 2018 at 09:56, Niehues, Christian <[hidden email]> wrote:

Hi Christian,


Meanwhile I was also able to access a simple CXF endpoint from remote that has been defined in Blueprint, including authorization and authentication. My only remaining problem with that solution is that I don't know how to define something like a placeholder for the address value to get an IP-specific address. A placeholder definition value like {{hostIP}} doesn't seem to be replaced.


Is there maybe another way to achieve this? 


Thanks

Christian


--
Christian Niehues
Tel.: +49 (0)221 820 07 27

----------------------------------------------------------------
ITS Digital Solutions GmbH
Dillenburger Str. 77
D-51105 Köln
Tel.: +49 (0)221 820 07 0
Fax : +49 (0)221 820 07 22
----------------------------------------------------------------
Sitz der Gesellschaft: Dortmund
Amtsgericht Dortmund, HRB 28563
Geschäftsführer: Gunnar Haack, Ludger Schulte, Heinrich Toben, Raimund Schipp, Ralf Petersilka 
----------------------------------------------------------------


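The pieces recommended in the replies above (a CXF Feature published as a DOSGi intent, a service exported with service.exported.intents, a relative address so the servlet transport provided by Pax Web is used instead of a hard-coded IP, JAAS authentication for the Karaf realm followed by a SimpleAuthorizingInterceptor for authorisation, and an ExportPolicy for adding the intent to services transparently) put together in one bundle, as an added example. This is editor-written illustration code, not code from the thread or from the Aries RSA / CXF projects. The package com.acme.security, the SyncService interface with its process method, the intent name "mysecurity" and the roles "admin" and "integrator" are assumptions; the ExportPolicy method signature and the way the TopologyManager is told to use a policy should be checked against the Aries RSA version actually deployed.

```java
package com.acme.security; // hypothetical bundle

import java.util.Dictionary;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;
import org.apache.aries.rsa.spi.ExportPolicy;
import org.apache.cxf.Bus;
import org.apache.cxf.feature.AbstractFeature;
import org.apache.cxf.feature.Feature;
import org.apache.cxf.interceptor.InterceptorProvider;
import org.apache.cxf.interceptor.security.JAASLoginInterceptor;
import org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor;
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;

public class Activator implements BundleActivator {

    /** Hypothetical remote interface; "process" is the only exposed operation. */
    public interface SyncService {
        String process(String payload);
    }

    public static class SyncServiceImpl implements SyncService {
        @Override
        public String process(String payload) {
            return "processed:" + payload;
        }
    }

    /**
     * CXF Feature that adds authentication and authorisation to every endpoint it is
     * applied to. JAASLoginInterceptor runs in the UNMARSHAL phase and
     * SimpleAuthorizingInterceptor in PRE_INVOKE, so the login always precedes the role check.
     */
    public static class SecurityFeature extends AbstractFeature {
        @Override
        protected void initializeProvider(InterceptorProvider provider, Bus bus) {
            // Authentication: HTTP Basic credentials are verified against the Karaf
            // JAAS realm "karaf"; RolePrincipal entries of the subject become the roles.
            JAASLoginInterceptor login = new JAASLoginInterceptor();
            login.setContextName("karaf");
            login.setRoleClassifier("RolePrincipal");
            login.setRoleClassifierType(JAASLoginInterceptor.ROLE_CLASSIFIER_CLASS_NAME);

            // Authorisation: per-method roles (space separated) plus a global role for
            // every method not listed, so an unlisted operation fails closed.
            SimpleAuthorizingInterceptor authz = new SimpleAuthorizingInterceptor();
            Map<String, String> methodRoles = new HashMap<>();
            methodRoles.put("process", "admin integrator"); // assumed role names
            authz.setMethodRolesMap(methodRoles);
            authz.setGlobalRoles("admin");

            provider.getInInterceptors().add(login);
            provider.getInInterceptors().add(authz);
        }
    }

    /**
     * Optional Aries RSA ExportPolicy: attaches the intent to a service without touching
     * the service's own registration. Signature assumed from the Aries RSA SPI; how the
     * TopologyManager selects this policy (a "name" service property) is version specific.
     */
    public static class SecuredExportPolicy implements ExportPolicy {
        @Override
        public Map<String, ?> additionalParameters(ServiceReference<?> sref) {
            Map<String, Object> extra = new HashMap<>();
            extra.put("service.exported.intents", "mysecurity");
            return extra;
        }
    }

    @Override
    public void start(BundleContext context) {
        // 1. Publish the Feature as a DOSGi intent, the same way CXF's logging
        //    feature registers itself under IntentName "logging".
        Dictionary<String, Object> intentProps = new Hashtable<>();
        intentProps.put("org.apache.cxf.dosgi.IntentName", "mysecurity");
        context.registerService(Feature.class, new SecurityFeature(), intentProps);

        // 2. Export the SOAP service and demand the intent. The relative address selects
        //    the servlet transport (Pax Web in Karaf): no IP to hard-code, and the endpoint
        //    shares the container's HTTP(S) port and TLS configuration.
        Dictionary<String, Object> svcProps = new Hashtable<>();
        svcProps.put("service.exported.interfaces", "*");
        svcProps.put("service.exported.configs", "org.apache.cxf.ws");
        svcProps.put("org.apache.cxf.ws.address", "/sync");
        svcProps.put("service.exported.intents", "mysecurity");
        context.registerService(SyncService.class, new SyncServiceImpl(), svcProps);
    }

    @Override
    public void stop(BundleContext context) {
        // service registrations are released by the framework when the bundle stops
    }
}
```

Two things to verify after deploying something like this: the role names must match what the Karaf login module actually assigns (etc/users.properties in a stock Karaf), and because JAASLoginInterceptor reads HTTP Basic credentials, the Pax Web port the endpoint lands on should be HTTPS before /sync is reachable from outside the host, otherwise the password travels in the clear. DOSGi will not create the endpoint while a required intent is unavailable, so a missing or failed security bundle shows up as an unexported service in the log rather than as an unprotected endpoint.
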
Re: Aries RSA: securing exported services with ExportPolicy

Christian

Sometimes it's that simple ;-)


Thanks for your help

Christian


